Monday, 4 March 2019

Why does Chrome set a cookie on the wrong subdomain?

I have following subdomains:

api.example.com
app1.example.com
app2.example.com

I am using nginx as the web server to serve all of those. api.example.com is a Python/Flask application which I am developing. app1.example.com and app2.example.com are static JS content, not developed by me.

Nginx is configured to allow cross-origin resource sharing.

app1 and app2 make requests to the API, and the API sets a cookie in the response to some of those requests.

Cookies are set like this:

from flask import current_app

# response is the flask.Response object about to be returned from the view
response.set_cookie(
    key='some_cookie_name',
    value=some_token,
    max_age=current_app.config["JWT_EXP"],
    secure=True,
    httponly=True)

The path defaults to '/', the domain attribute is not present in the response, and the samesite attribute is not present either, all of the above according to this documentation.

Correct me if I am wrong, but according to my understanding, when app1 requests an API resource (which sets a cookie), this cookie is bound to app1.example.com and should not be present on app2.example.com (and vice versa).

The behaviour I am observing in Chrome is different.

Setting a cookie on an app1 request, and then setting a cookie (with the same name) on an app2 request, overrides the cookie on app1. The app2 subdomain has no cookies present (inspecting with Chrome developer tools).

Now, when I change the name of the cookie for the second subdomain (app2), cookies are still not present on app2; however, the second cookie with the different name is now visible on the app1 subdomain.

It looks like whatever I do, all cookies are set on the app1 subdomain. Those cookies are also present when inspecting example.com.

Moreover, when app2.example.com makes a request to the API, it sends back all cookies visible on app1.

Is this behaviour correct? Is it due to CORS being enabled on the server side? How can I separate cookies between app1 and app2?
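The following is an added example, not code from the question's author: it models the cookie scoping rules the question is asking about with Python's http.cookiejar, which applies RFC 6265-style domain matching, so it is a model of standard behaviour rather than of Chrome's developer tools. The hostnames mirror the question; the Set-Cookie header values are constructed to match what Flask's response.set_cookie(secure=True, httponly=True) emits. It shows that a Set-Cookie with no Domain attribute is bound to the host that sent the response (api.example.com), regardless of which page (app1 or app2) made the request, and that adding Domain=example.com widens the cookie to every subdomain.

```python
"""Model of cookie scoping with Python's http.cookiejar (added example).

Hostnames mirror the question (api/app1/app2.example.com); the Set-Cookie
values are constructed, shaped like Flask's set_cookie() output.
"""
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def store_cookie(jar, response_url, set_cookie_value):
    """Feed one Set-Cookie header into the jar as if returned by response_url."""
    request = urllib.request.Request(response_url)
    jar.extract_cookies(_FakeResponse([set_cookie_value]), request)


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def scope_report(set_cookie_value):
    """Set the cookie once from the API host and report which hosts receive it.

    Returns a dict mapping each host to the Cookie header value that would be
    sent there (None when the cookie is not sent).
    """
    jar = http.cookiejar.CookieJar()
    # The API host sends the Set-Cookie. The page that triggered the request
    # (app1 or app2) plays no part in the cookie's domain; only the
    # responding host counts.
    store_cookie(jar, "https://api.example.com/login", set_cookie_value)
    hosts = ["api.example.com", "app1.example.com", "app2.example.com", "example.com"]
    return {host: cookie_header_for(jar, f"https://{host}/") for host in hosts}


# Constructed header, shaped like Flask's set_cookie(secure=True, httponly=True)
# output with no Domain attribute: a host-only cookie for api.example.com.
HOST_ONLY = "some_cookie_name=token1; Max-Age=3600; Secure; HttpOnly; Path=/"
# Same cookie with an explicit Domain attribute: shared by every subdomain.
DOMAIN_WIDE = HOST_ONLY + "; Domain=example.com"

if __name__ == "__main__":
    for label, header in (("host-only", HOST_ONLY), ("Domain=example.com", DOMAIN_WIDE)):
        print(f"{label}:")
        for host, sent in scope_report(header).items():
            print(f"  {host:18} -> {sent}")
```

With the host-only header only api.example.com receives the cookie; app1, app2 and the bare example.com get nothing, so two different first-party pages calling the same API share the same API cookie rather than each getting their own. With Domain=example.com the cookie is sent to all four hosts, which is the widest scope and the one to avoid unless every subdomain is trusted with the token.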
